IPS modules in Cisco ASA 5510 Active/Standby pair.

All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
Sent from Cisco Technical Support iPad App

Ok, that is what I needed to know.  The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure.  The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running.  If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS funcationality.  This is not worth the $1000 extra per year to us.
Thanks for the responses though.  That answers my questions.

Similar Messages

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • %ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510

    Hi Friends,
    I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
    Error in CISCO VPN Client Software:
    Secure VPN Connection Terminated locally by the client.
    Reason : 414 : Failed to establish a TCP connection.
    Error in CISCO ASA 5510
    %ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
    ASA Configuration:
    XYZ# sh run
    : Saved
    ASA Version 8.4(4)
    hostname XYZ
    domain-name XYZ
    enable password 3uLkVc9JwRA1/OXb level 3 encrypted
    enable password R/x90UjisGVJVlh2 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    nameif outside_rim
    security-level 0
    ip address 1.1.1.1 255.255.255.252
    interface Ethernet0/1
    duplex full
    nameif XYZ_DMZ
    security-level 50
    ip address 172.1.1.1 255.255.255.248
    interface Ethernet0/2
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.252
    interface Ethernet0/3
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 3.3.3.3 255.255.255.224
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    domain-name XYZ
    object network obj-172.17.10.3
    host 172.17.10.3
    object network obj-10.1.134.0
    subnet 10.1.134.0 255.255.255.0
    object network obj-208.75.237.0
    subnet 208.75.237.0 255.255.255.0
    object network obj-10.7.0.0
    subnet 10.7.0.0 255.255.0.0
    object network obj-172.17.2.0
    subnet 172.17.2.0 255.255.255.0
    object network obj-172.17.3.0
    subnet 172.17.3.0 255.255.255.0
    object network obj-172.19.2.0
    subnet 172.19.2.0 255.255.255.0
    object network obj-172.19.3.0
    subnet 172.19.3.0 255.255.255.0
    object network obj-172.19.7.0
    subnet 172.19.7.0 255.255.255.0
    object network obj-10.1.0.0
    subnet 10.1.0.0 255.255.0.0
    object network obj-10.2.0.0
    subnet 10.2.0.0 255.255.0.0
    object network obj-10.3.0.0
    subnet 10.3.0.0 255.255.0.0
    object network obj-10.4.0.0
    subnet 10.4.0.0 255.255.0.0
    object network obj-10.6.0.0
    subnet 10.6.0.0 255.255.0.0
    object network obj-10.9.0.0
    subnet 10.9.0.0 255.255.0.0
    object network obj-10.11.0.0
    subnet 10.11.0.0 255.255.0.0
    object network obj-10.12.0.0
    subnet 10.12.0.0 255.255.0.0
    object network obj-172.19.1.0
    subnet 172.19.1.0 255.255.255.0
    object network obj-172.21.2.0
    subnet 172.21.2.0 255.255.255.0
    object network obj-172.16.2.0
    subnet 172.16.2.0 255.255.255.0
    object network obj-10.19.130.201
    host 10.19.130.201
    object network obj-172.30.2.0
    subnet 172.30.2.0 255.255.255.0
    object network obj-172.30.3.0
    subnet 172.30.3.0 255.255.255.0
    object network obj-172.30.7.0
    subnet 172.30.7.0 255.255.255.0
    object network obj-10.10.1.0
    subnet 10.10.1.0 255.255.255.0
    object network obj-10.19.130.0
    subnet 10.19.130.0 255.255.255.0
    object network obj-XXXXXXXX
    host XXXXXXXX
    object network obj-145.248.194.0
    subnet 145.248.194.0 255.255.255.0
    object network obj-10.1.134.100
    host 10.1.134.100
    object network obj-10.9.124.100
    host 10.9.124.100
    object network obj-10.1.134.101
    host 10.1.134.101
    object network obj-10.9.124.101
    host 10.9.124.101
    object network obj-10.1.134.102
    host 10.1.134.102
    object network obj-10.9.124.102
    host 10.9.124.102
    object network obj-115.111.99.133
    host 115.111.99.133
    object network obj-10.8.108.0
    subnet 10.8.108.0 255.255.255.0
    object network obj-115.111.99.129
    host 115.111.99.129
    object network obj-195.254.159.133
    host 195.254.159.133
    object network obj-195.254.158.136
    host 195.254.158.136
    object network obj-209.164.192.0
    subnet 209.164.192.0 255.255.224.0
    object network obj-209.164.208.19
    host 209.164.208.19
    object network obj-209.164.192.126
    host 209.164.192.126
    object network obj-10.8.100.128
    subnet 10.8.100.128 255.255.255.128
    object network obj-115.111.99.130
    host 115.111.99.130
    object network obj-10.10.0.0
    subnet 10.10.0.0 255.255.0.0
    object network obj-115.111.99.132
    host 115.111.99.132
    object network obj-10.10.1.45
    host 10.10.1.45
    object network obj-10.99.132.0
    subnet 10.99.132.0 255.255.255.0
    object-group network Serversubnet
    network-object 10.10.1.0 255.255.255.0
    network-object 10.10.5.0 255.255.255.192
    object-group network XYZ_destinations
    network-object 10.1.0.0 255.255.0.0
    network-object 10.2.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 10.11.0.0 255.255.0.0
    network-object 10.12.0.0 255.255.0.0
    network-object 172.19.1.0 255.255.255.0
    network-object 172.19.2.0 255.255.255.0
    network-object 172.19.3.0 255.255.255.0
    network-object 172.19.7.0 255.255.255.0
    network-object 172.17.2.0 255.255.255.0
    network-object 172.17.3.0 255.255.255.0
    network-object 172.16.2.0 255.255.255.0
    network-object 172.16.3.0 255.255.255.0
    network-object host 10.50.2.206
    object-group network XYZ_us_admin
    network-object 10.3.1.245 255.255.255.255
    network-object 10.5.33.7 255.255.255.255
    network-object 10.211.5.7 255.255.255.255
    network-object 10.3.33.7 255.255.255.255
    network-object 10.211.3.7 255.255.255.255
    object-group network XYZ_blr_networkdevices
    network-object 10.200.10.0 255.255.255.0
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
    access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
    access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
    access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
    access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
    access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
    access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
    access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
    access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
    access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
    access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
    access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
    access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
    access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
    access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
    access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
    access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
    access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
    access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
    access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
    access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
    access-list acl-outside extended permit ip any host 172.17.10.3
    access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
    access-list acl-outside extended permit tcp any any eq 10000
    access-list acl-outside extended deny ip any any log
    pager lines 10
    logging enable
    logging buffered debugging
    mtu outside_rim 1500
    mtu XYZ_DMZ 1500
    mtu outside 1500
    mtu inside 1500
    ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
    nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
    nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
    nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
    nat (inside,outside) source dynamic obj-10.8.108.0 interface
    nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
    nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
    nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
    nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
    nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
    object network obj-172.17.10.3
    nat (XYZ_DMZ,outside) static 115.111.99.134
    access-group acl-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
    route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
    route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
    route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
    route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
    route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
    route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
    route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
    route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
    route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
    route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
    route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map vpn 1 match address XYZ
    crypto map vpn 1 set peer XYZ Peer IP
    crypto map vpn 1 set ikev1 transform-set vpn1
    crypto map vpn 1 set security-association lifetime seconds 3600
    crypto map vpn 1 set security-association lifetime kilobytes 4608000
    crypto map vpn 2 match address NE
    crypto map vpn 2 set peer NE_Peer IP
    crypto map vpn 2 set ikev1 transform-set vpn2
    crypto map vpn 2 set security-association lifetime seconds 3600
    crypto map vpn 2 set security-association lifetime kilobytes 4608000
    crypto map vpn 4 match address ML_VPN
    crypto map vpn 4 set pfs
    crypto map vpn 4 set peer ML_Peer IP
    crypto map vpn 4 set ikev1 transform-set vpn4
    crypto map vpn 4 set security-association lifetime seconds 3600
    crypto map vpn 4 set security-association lifetime kilobytes 4608000
    crypto map vpn 5 match address XYZ_global
    crypto map vpn 5 set peer XYZ_globa_Peer IP
    crypto map vpn 5 set ikev1 transform-set vpn5
    crypto map vpn 5 set security-association lifetime seconds 3600
    crypto map vpn 5 set security-association lifetime kilobytes 4608000
    crypto map vpn 6 match address Da_VPN
    crypto map vpn 6 set peer Da_VPN_Peer IP
    crypto map vpn 6 set ikev1 transform-set vpn6
    crypto map vpn 6 set security-association lifetime seconds 3600
    crypto map vpn 6 set security-association lifetime kilobytes 4608000
    crypto map vpn 7 match address Da_Pd_VPN
    crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
    crypto map vpn 7 set ikev1 transform-set vpn6
    crypto map vpn 7 set security-association lifetime seconds 3600
    crypto map vpn 7 set security-association lifetime kilobytes 4608000
    crypto map vpn interface outside
    crypto map vpn_reliance 1 match address XYZ_rim
    crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
    crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
    crypto map vpn_reliance 1 set security-association lifetime seconds 3600
    crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
    crypto map vpn_reliance interface outside_rim
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto isakmp identity address
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside_rim
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 2
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto ikev1 policy 4
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28000
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 10.8.100.0 255.255.255.224 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy XYZ_c2s_vpn internal
    username testadmin password oFJjANE3QKoA206w encrypted
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXXtype ipsec-l2l
    tunnel-group XXXXXXXXipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XYZ_c2s_vpn type remote-access
    tunnel-group XYZ_c2s_vpn general-attributes
    address-pool XYZ_c2s_vpn_pool
    tunnel-group XYZ_c2s_vpn ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect ip-options
    service-policy global_policy global
    privilege show level 3 mode exec command running-config
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command crypto
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
    : end
    XYZ#

    Thanks Javier.
    But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
    access-list ACL-RA-SPLIT standard permit host 10.10.1.3
    access-list ACL-RA-SPLIT standard permit host 10.10.1.13
    access-list ACL-RA-SPLIT standard permit host 10.91.130.201
    access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
    access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
    access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
    ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
    group-policy CO-C2S internal
    group-policy CO-C2S attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list vlauel ACL-RA-SPLIT
    dns-server value 10.10.1.3
    tunnel-group TUN-RA-SPLIT type remote-access
    tunnel-group TUN-RA-SPLIT general-attributes
    default-group-policy CO-C2S
    address-pool CO-C2S-VPOOL
    tunnel-group TUN-RA-SPLIT ipsec-attributes
    pre-shared-key sekretk3y
    username ra-user1 password passw0rd1 priv 1
    group-policy CO-C2S internal
    group-policy CO-C2S attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list vlauel ACL-RA-SPLIT
    dns-server value 10.10.1.3
    tunnel-group TUN-RA-SPLIT type remote-access
    tunnel-group TUN-RA-SPLIT general-attributes
    default-group-policy CO-C2S
    address-pool CO-C2S-VPOOL
    tunnel-group TUN-RA-SPLIT ipsec-attributes
    pre-shared-key *********
    username ******* password ******** priv 1
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3DES
    crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
    crypto isakmp identify address
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encr 3des
    hash sha
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3DES
    crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
    crypto map vpn interface outside
    crypto isakmp identify address
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encr 3des
    hash sha
    group 1
    lifetime 3600

  • Web Filtering Cisco ASA 5510

    Hello !
    I m a netword administrator, and i have been looking how to setup web filtering in a network, we are using cisco asa 5510 as a firewall and i have been looking for a way to block url such as facebook and streaming web sites since users are allowed to access to any website and they have been downloding stuff lately and i cant controll the bandwith!!
    What u guys recommand !
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Experessions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Cisco ASA 5510 Content Security bundle

    Hello,
    please help me  to understand if i buy  the    Cisco ASA 5510 Content Security bundle  for  my  network   found  there is   1 yr subscription for the content
    security features.  what are  services included in it.  Does   URL blocking and filtering  includ  in this subscription  or  its a seperate features.
    Thanks,
    Saroj Pradhan

    Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
    http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
    One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc

  • Cisco ASA 5510 Site to Site VPN with Sonicwall

    I am trying to setup a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and Sonicwall TZ200. I got tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works. When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx denied due to NAT reverse path failures" on the ASA
    Googling the above error shows issues with version 8.3 and later which looked like the nat commands were changed but the ASA I am working on is still on 8.2 and the other common issue is not adding a NAT exemption. I have double-triple checked that I did add a NAT exception rule from the hosts on the cisco network to the hosts on the Sonicwall network. Seems like I have hit a road block so any help would be appreciated. Thanks
    Here are some excertps from the config file (10.20.2.0 behind the cisco and 10.20.10.0 behind the sonicwall)
    nat (inside) 0 access-list nonat
    access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    group-policy SiteToSitePolicy internal
    group-policy SiteToSitePolicy attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec
    split-tunnel-network-list none
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x general-attributes
    default-group-policy SiteToSitePolicy
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *****
    Added few excerpts from config file

    Yes inspect icmp is enabled in global_policy
    The ping requests time out (The only ping that works is when I ping from the remote side to the ASA internal IP address, no other pings from either side work)
    #show crypto isakmp sa
    1   IKE Peer: x.x.x.x
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    #show crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
          access-list outside_2_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
          current_peer: y.y.y.y
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 39543, #pkts decrypt: 39543, #pkts verify: 39543
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 0ED0F897
          current inbound spi : 596CCE6F
        inbound esp sas:
          spi: 0x596CCE6F (1500302959)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 50327552, crypto-map: outside_map
             sa timing: remaining key lifetime (sec): 7440
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x0ED0F897 (248576151)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 50327552, crypto-map: outside_map
             sa timing: remaining key lifetime (sec): 7440
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Cisco ASA 5510 site to site VPN only

    Hi,
    Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

    Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
    So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
    As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

  • How to configure QOS on certain IP in the Cisco ASA 5510

    Hi,
    I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
    Can this done on a ASA 5510 series? if yes can you help me how ?
    Regards,
    Venkat

    Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
    Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
    I hope it helps.
    PK

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
    then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
    Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    Tiger Li
    TechNet Community Support

  • How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi All,
    How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
    Thanks
    Roopesh

    Hi Roopesh,
    Please go through this document for detailed documentation on captures:
    https://supportforums.cisco.com/docs/DOC-17814
    Hope that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Active/standby pair + Oracle db parameter FAILTHRESHOLD

    Assume we have 3 databases
    TT_A - timesten Active
    TT_S - timesten Standby
    O - oracle db.
    SETURN MODE twosafe
    Storage atributes
    RETURN SERVICES OFF WHEN REPLICATION STOPPED;
    FAILTHRESHOLD set to 10 value.
    Two timesten databases are in consistent state.
    Aplication update TT_A.
    TT_S replication data to ORACLE.
    Assume we stop replication.
    So application can run on TT_A.
    After 10 log switch TT_S will be marked as failed.
    All logs waiting for TT_S will be delete.
    So how oracle receiv the data ?

    In active standby pair replication, cache operations are tightly coupled with replication. In normal operation of AWT cache group within an A/S pair, updates occur at the active which replicates them to the standby and then the standby pushes them to Oracle. The active and standby continually exchange housekeeping information about what transactions have been committed at the standby and which have been committed, via AWT, at Oracle. The active and the standby will only purge transaction logs for transactions that they know are safely stored in all 3 places. If the standby fails then, as long as you tell the active that it has failed (via a call to ttRepStateSave()), the active will take over the AWT push from the last transaction that it knows was safely committed in Oracle. No data will be lost.
    If you are using oracle Clusterware to manage your A/S pair then you don't need to do anything as Clusterware will perform the necessary notification to the active that the standby has failed.
    Chris

  • Active standby pair Replication scheme

    Hi
    I just want to know that is this possible to have "Active Active pair".
    Actually i want to create pair in which both Masters are in Active mode.None master is in standby mode.
    Please ....
    Regards
    Muh.Usman

    Could you please elaborate why you need active/active? Active/active configurations are potentially dangerous with any replication technology and are discouraged. TimesTen Active/Standby pair replication does nto support active/active (the clue is in he name :-)). TimesTen legacy replication does support active/active in some scenarios but if you use that then you cannot use Oracle caching. If you want to use both replication and Oracle caching then realistically you must use Active/Standby pair replication.
    Chris

  • Active Standby Pair Clustering.

    Hi Chris, I had created ActiveStandby Pair as follows:
    Server 1 => DSN: TTCluster1
    Server 2 => DSN: TTCluster2.
    Then I created ActiveStandby Pair in Server1, Started RepAgent and then Duplicated the DSN on Server 2 with name TTCluster 2. It worked fine.
    Now to access it from the client server mode, I created Client DSN on Client machine using Virtual IP. (Using Linux Cluster Manager).
    But inthis case I had to create two client DSN. TTCluster1Client and TTCluster2client. Since Application can connect to only one DSN and shifting to other while failover is very difficult.
    So I am trying following model now, Let me know your views on this.
    Server 1 and Server 2, both will have same DSN name "TTCluster".
    Client Machin will have only one DSN "TTClusterClient" using VIP.
    When the Server1 failes, Server 2 will take over and there is no need of shifting client DSN. Application will be routed to Server 2 after switch over.
    Step1: created server DSN "TTCluster" on Server 1 and Server 2.
    Step2: created user 'ttcluster' on Server 1 and Server 2.
    Step3: Create DataStore TTCluster on Server 1. (By connecting to TTCluster).
    Step4: Create Cache Groups (AWT) on Server1.
    Step5: Started Cache Agent on Server1.
    Step6: Created ActiveStandby Pair on Server1 as follows:
    CREATE ACTIVE STANDBY PAIR
    TTCluster ON "wabtectimesten.patni.com",
    TTCluster ON "wabtectimesten2.patni.com"
    RETURN TWOSAFE
    STORE TTCluster PORT 20000 TIMEOUT 120;
    Step8: executed ttrepstateset('ACTIVE') on server1.
    Step9: Started Replication Agent on Server1.
    Step10: Duplicated DataStore on Server2.
    Issues:
    Server2 is not coming up as Standby. The log on Server1 shows following messages:
    15:19:33.83 Warn: REP: 8671: TTCLUSTER:receiver.c(1723): TT16060: Failed to read data from the network. select() timed out
    15:19:37.09 Err : REP: 8671: TTCLUSTER:receiver.c(3428): TT16142: Failed to retrieve peer information. No peers found
    15:19:37.09 Err : REP: 8671: TTCLUSTER:transmitter.c(5523): TT16229: Transmitter thread failure due to lack of state consistency at subscriber store _ORACLE
    Question:
    While creating replication scheme I have mentioned.
    STORE TTCluster PORT 20000 TIMEOUT 120;
    I need to define the timeout for both DataStores. How will I do that?
    The above timeout will be applicable for which datastore??
    Can you please let me know if I am going in the right direction???

    Hi Tanweer,
    When designing a monitoring scheme for TimesTen one has to bear a few things in mind (though not all will be relevant in every case):
    1. There could be multiple 'instances' of TimesTen installed on a machine. Each instance is completely independent and must be monitoried separately.
    2. Each instance has a 'main daemon' (timestend) that is the instance master supervisor. If this daemon is running and healthy then the 'instance' is considered to be 'up' and 'healthy'.
    3. Each instance can manage multiple datastores. Each datastore is independent from the others and so each datastore must be monitored separately.
    4. Each datastore may be using replication and/or cache connect. If so, these must also be monitored as well as the datastore since it is perfectly possible e.g. for the datastore to be healthy but for replication to be 'down'.
    Depending on your requirements, your monitoring mechanism must 'model' this structure and relationships...
    - If the instance main daemon is not running, or is not responding, then the entire instance is 'down' and all datastores managed by the instance should also be considered as 'down'
    - If a datastore goes down (e.g. call invalidate), other stores in the instance are not affected and neither is the main daemon for the instance. They will continue to operate normally.
    - A datastore may be healthy in itself but maybe replication or cache connect for the datastore is not healthy. Do you then consider the datastore as down? That depends on your applications requirements!
    Hopefully this helps to clarify the interrelationship of components. Crashing a datastore by calling 'invalidate' does not crash the daemon (if it does then that is a bug!).
    For monitoring the instance (main daemon) there are a few options:
    1. ps -ef | grep timestend. This can detect if the daemon process is running but not if it is healthy...
    2. Connect to a datastore. Every connect/disconnect request is processed via the main daemon so if the daemon is not healthy this will result in some error (usually a 'cannot communicate with the daemon' error). However, connect/disconnect are relatively expensive so you don't want to do this too often.
    3. Have a monitoring process that maintains an open connection to the instance level datastore (DSN=TT_<instancename>). Periodically (as often as required within reason) it can execute the built in procedure ttDataStoreStatus() passing it the pathname of the instaance datastore checkpoint files (obtainable from the built in procedure ttConfiguration). This procedure communicates with the main daemon so will either return success (meaning daemon is okay) or an error (daemon is in big trouble).
    If you have to do the test from a script then I would suggest that (2) is best but if you can do it from a continually running monitoring process then (3) is better.
    For monitoring a datastore the best way to ascertain overall health is as follows:
    1. Have a dummy table in the datastore. And as part of the check update a row in th dummy and commit the transaction. If this returns success then this shows that the datastore is up and able to service update requests (which means it is also okay for read requests).
    2. You should also monitor the available space in the datastore and warn someone or something if the free space gets too low. You can query space allocation, current usage and high watermark usage from the SYS.MONITOR table. You can also configure TimesTen to generate SNMP traps and/or return warnings to applications if space usage exceeds some configured threshold. The objective is to take proactive action to prevent the datastore becoming full since that will require more disruptive corrective action.
    For monitoring replication you should periodically:
    1. Check that the datastore's repagent is running (you can do this using ttDatastoreStatus)
    2. Check the status of each replication peer by calling ttReplicationStatus and checking the values of pstate (should be 'start') logs (if this value increases over time then the peer is in some kind of trouble) and lastMsg (if there is no message from the peer for a long time then it may be in some kind of trouble).
    3. Sometimes an easier way is to have a dummy table set up for synchronous replication and do an update+commit for a row in that table. if replicatioin is working the commit will return within a few ms at most. If you get a timeout error returned that tells you that replication is in trouble,
    To monitor cache connect is not so easy at present.
    For AWT cache groups, the same monitoring as is used for replication is okay).
    For SWT cache groups, if the sync to Oracle is not working every commit will get an error (so that's kind of obvious).
    For AUTOREFRESH cache groups it's a bit harder. There is currenyly no supported way to determine when the last successful autorefresh occurred. I am hoping this capability will be added in a future release.
    Sorry if that is a bit long winded - I hope it helps...
    Chris

  • Ask timesten 11.2 Using Oracle Clusterware to Manage Active Standby Pair

    Using Oracle Clusterware to Manage Active Standby Pairs
    http://download.oracle.com/docs/cd/E13085_01/doc/timesten.1121/e13072/cluster.htm#CCHCFAAD
    What is that mean ?
    I have to use Share Storage for... Oracle Clusterware?
    I think right?... or wrong ?
    Can I have VIP on Master node, and then master down... standby will active with VIP, right ?

    A TimesTen A/S pair is a replicated configuation where a pair of TimesTen datastores, usually located on different machines, act in many ways as a single unit. The active master can process both queries and DML (insert/update/delete) while the standby master can only process queries (think of this as a little like Active Dataguard). Applications that run on the same machine as one of the TT datastores can connect to it via the very high performance 'direct mode' while applications running on other machines can access the datastores in client/server mode. There is a clearly defined procedure for failing over if the active master fails (which involves promoting the standby master to active) and for recovering a failed store back to the correct role. Direct mode applications must failover with the datastore whereas for client/server applications the connection(s) need to be failed over. The basic A/S pair replication mechanism has been available since TimesTen 6.0. The replication configuration is defined via special SQL syntax and monitoring and management (failover control etc.) is performed by way of built-in procedure calls. However, in TT 6.0 and 7.0 the actual monitoring and management of the A/S pair, including failover, is left for the user to implement themselvses or via some custom integration with an external cluster manager.
    TimesTen 11g adds two major new capabilities:
    1. Automatic client connection failover for client/server connections. Think of this as very similar to Oracle DB TAF and FAN. This does not require VIPs or Clusterware since it is implemented completely within TimesTen. However it works very well when used in onjunction with Clusterware.
    2. A deep integration between TimesTen and Oracle Clusterware. All aspects of Timesten A/S pair definition, deployment, management and recovery are handled by Clusterware. There is just a single configuration file and a single TimesTen utility (ttCWAdmin) involved. Of course you need a properly configured Clusterware setup first which will require some form of shared storage (for OCR and voting disks) but TT storage (checkpoint and log files) does not need to be on shared storage. Setting up TT for use with Clusterware is very quick and easy (maybe 30 minutes the first time you do it and much quicker thereafter once you know what you are doing). From then on Clusterware will manage all aspects of failover and recovery completely automatically. VIPs are not required but can be used if desired e.g. for application failover purposes. Clusterware can also manage the failover of direct mode applications. Also, you can define automated backup cycles and spare nodes that can be used if a node suffers some permanent failure. The Clusterware integration offers very rich functionality but also very fast failover (typically just a few seconds in my testing).
    Hope that helps clarify.
    Chris

  • Safe way to reboot Active/Standby Pair

    Hello,
    I have the need to reboot my ASA5520. We have a Active/Standby pair and I want to make sure that they come up playing nicely and not in a tug of war.
    Any advice on the proper way to reload these machines and optimize uptime??
    Thanks,
    Pedro

    Pedro
    If you are not bothered as to which one becomes primary then simply pick one, reload, wait until it has come up and then reload the other one.
    As long as you have failover correctly configured there should be minimal downtime, just the time it takes to fail over when you reload.
    If you want the primary to stay as the primary then you need to reload this one first, let it come up as standby, then reload the other one and the former primary will now become the primary again.
    Note that reloading the standby first is the best approach simply because you only then have one failover ie. when the standby comes backup and resumes it's standby funtionality and then you reload the primary there will be a failover.
    Jon

Maybe you are looking for

  • 1.0.4

    Who's going to jump first? Follow the links in this [thread|http://discussions.apple.com/thread.jspa?threadID=1829276&tstart=0] as it appears, at least at this point in time, that Software Update does not have this current version. As always, ask you

  • Poor performance playing .mts files in source monitor

    OK is Adobe really that far behind in writing up some code that can handle AVCHD .mts files? I transfer the .mts files from my camera to the hard drive, access them in PP via the media browser, import them to the project panel and when I try to play

  • Table of Freight that is maintained during Billing?

    hi Experts, actually, we put the appropriate Freight at the time of Billing the Sales Order (using Tcode VF02), and after creating a hundreds of Billing documents, we need to change that documents that contain Freight. so isn't there any table, that

  • Problems With iPhoto on NTFS Partition...HELP!

    So, I backed up all my PhotoStream before iCloud removed my complimentary storage.  I backed it up to my iPhoto library I placed on my NTFS partition of my external hard drive.  Everything looked great.  I could access all my photos.  Next day, the f

  • IMac freezing when I run powerpoint presentation

    I have an iMac 2.16 GHz Inter Core 2 Duo Processor with 2 GB 667 MHz Memory. Lately when I open a powerpoint presentation that is sent via e-mail, as soon as it opens up, the computer will freeze up on the first slide. Has this happened to anyone els